Sneaky Hacker Gets Some Serious Booty From Spankchain

Lax security measures have caused the adult entertainment platform SpankChain to lose $38,000 in ETH.


A Pirate Made Off With a Handful of Booty

Stealing tips from strippers is nearly the equivalent of taking candy from a baby — It’s just plain wrong. Somebody should tell that to the clever hacker who managed to make off with 165.38 ETH ($38,000) after exploiting a bug in one of SpankChain’s smart contracts. SpankChain is the name of the Ethereum-based smart contract, and BOOTY is the ERC-20 token used to tip performers during live webcam shows.

As the hack occurred, an additional $4,000 worth of BOOTY was also frozen because of the security breach.

SpankChain admitted that is suffered an attack by posting, “We got spanked,” on their website. Though the hack took place around 9:00 pm on Saturday, SpankChain did not notice the theft until the following evening around 10:00 pm as they, “were in the middle of investigating other smart contract bugs.”

Everyone is Getting Some ETH and BOOTY

SpankChain is still working to figure out exactly what happened, but they did post a fairly detailed explanation of how the attack occurred, along with the attacker’s address, malicious contract, and the internal txs from the attacker’s malicious contract. SpankChain further explained that the hacker “capitalized on a ‘reentrancy’ bug, much like the one exploited in the DAO hack.”

The company should be commended for showing more responsibility than multinational corporations that shirk complete responsibility when falling victim to avoidable security breaches. SpankChain has made it their “immediate priority” to fully reimburse every user who may have lost funds and they are planning an ETH airdrop to reallocate all $9,300 worth of ETH and BOOTY that users may have lost.

SpankChain

SpankChain also explained the rationale behind passing on a $30,000-$50,000 security audit as they felt the $17,000 audit conducted by Zeppelin was sufficient. They have admitted, in retrospect, that paying more for security would have been a more pragmatic decision.

The company has promised to improve their security practices going forward and it is their hope that all users and performers will get more BOOTY.

Do you think SpankChain is doing a good job handling the most recent hack? Share your thoughts in the comments below! 


Images courtesy of Shutterstock.

Source